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(U) OFFICE OF THE INSPECTOR GENERAL 

(U) Chartered by the NS A Director and by statute, the Office of the Inspector 
General conducts audits, investigations, inspections, and special studies. Its 
mission is to ensure the integrity, efficiency, and effectiveness of NSA operations, 
provide intelligence oversight, protect against fraud, waste, and mismanagement of 
resources by the Agency and its affiliates, and ensure that NSA activities comply 
with the law. The OIG also serves as an ombudsman, assisting NSA/CSS 
employees, civilian and military. 


(U) AUDITS 

(U) The audit function provides independent assessments of programs and 
organizations. Performance audits evaluate the effectiveness and efficiency of 
entities and programs and their internal controls. Financial audits determine the 
accuracy of the Agency’s financial statements. All audits are conducted in 
accordance with standards established by the Comptroller General of the United 
States. 


(U) INVESTIGATIONS 

(U) The OIG administers a system for receiving complaints (including anonymous 
tips) about fraud, waste, and mismanagement. Investigations may be undertaken in 
response to those, complaints, at the request of management, as the result of 
irregularities that surface during inspections and audits, or at the initiative of the 
Inspector Genera). 

(U) INTELLIGENCE OVERSIGHT 

I fi 

(U) Intelligence oversight is designed to insure that Agency intelligence functions 
comply with federal law, executive orders, and DoD and NSA policies. The IO 
mission is grounded in Executive Order 12333, which establishes broad principles 
under which IC components must accomplish their missions. 

(U) FIELD INSPECTIONS 

(U) Inspections are organizational reviews that assess the effectiveness and 
efficiency of Agency components. The Field Inspections Division also partners 
with Inspectors General of the Service Cryptologic Elements and other IC entities 
to jointly inspect consolidated cryptologic facilities. 
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I. (U) SUMMARY 


(b)(3)-P.L. 86-36 
(b) (6) 


(T3//31//RCL) On 8 January 2013J~ . • • l lnteiligence Oversight 

Officer ] I contacted the NSA/CS S Office oOnspector 

General (OIG) a nd stated that in October 2012. hd conducted a test o'fthe l • I 

l using an overly broad searc h term which resulted in* the retrieval.Of United States 
Person JUSP) communications. ! ~~| immediately reported the incident t<5 his leadership 

and filed an incident report with Oversight and Compliance (SV)..* 


(U//POCJO) In addition to obtaining swoftj testimony from ! | «we conducted an 

interview of his immediate supervisor at th*e.time of the incident. We’also obtained all pertinent 
records from SV. 


■(T8//SWRCL) The preponderance of the evidence^upports the conclusion that j " | 

viola ted!EO12 333, DoD 5240.1-R, and USSID SPt)018.when he intentionally used a selection 
termj |which resulted in the retrieval of USP coplmunications. 


t ♦ * 

(U/MKiO) A copy of die NSA/CSS OIG report will be forwarded to Employee Relations for 
information and any action deemed appropriate.* Also, a summary of the findings will be 
forwarded to the Associate Directorate for Security and Counterintelligence (ADS&CI). 
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(b)(3)-P.L. 86-36 
(b) (6) 


II. (U) BACKGROUND 


(b)(3)-P.L. 86-36 


(U) introduction 


* •• 

♦ •. 


(b) ( 


“[entered on. duty with the NS A iiif 


tTS/ ffil//RCLj 

on th d _ 

In January 2012, he was involved in an’incident where USP information was inadvertently 
obtai'ped I I After the incident, which was reported to. SV, 


) « • 

f He began workin 

inf 


J 


I 


J 


TS//S I //R.Kb » Despite being told othe rwise,! 


1 In October 2012. he ! 

■ i • « _x * 


Han overly 

broad search term ! I in a query which resulted in the retrieval oj USP information. He 

immediately filed an irfcid^nt report and contacted his management..* 


(U) Applicable Authorities 

(U) Below is a listing ofcitations. Refer to Appendix A for a full Table of Authorities. 

■ ■ 

. . 

• EO 12333 - United States Intelligence Activities 

• DoD Directive 5240.1 -R - Procedures Governing the Activities of DoD Intelligence 
Components tfiat Affect United States Persons 

• USSID SPOOrS - Legal Compliance and U.S. Persons Minimization Procedures 


(b) (1) 

(b)(3)-P.L. 86-36 
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III. (U) FINDINGS 


(b)(3)-P.L. 86-36 
(b) (6) 


(U//POUO) ALLEGA TION: Did | | in ten tionally qse a 'sel'ectiqrrtfrm that was 

reasonably likely to result in the interception ofcpnwuinications to orfrfiht a USP? 

. • * * .... 

(U//POUO) CONCLUSION^Substantiated. The preponderance of the evidence supports the 
conclusion that | intentionally used a selection term thdt was-reasqnably likely to 

result in the interception of communications to or from a.USP, in violation of EO 12333, 

Part 2.3, DoD 5240.1-R, Chapter 2, Procedures 2.3.1-2'.3.4.-f Chapter 14, Procedure 14 
C14.2.1,andUSSIDSP0018, §3.1,4.1, & 5.1(a). .♦* .* 


(U) Documentary Evidence 


(U) NSA/CSS Intelligence-Related Incident Report | 

♦ ♦ 

This incident report , completed byT 
«»'>?*?rred on 17 October 2012 wheril 


(b)(3)-P.L. 86-36 


summarizes the event 


located in Appendix B. ~ 

♦ ♦ 

|Training Record 


'id.eraife. incident report is 


(b) (1) 

(b)(3)-P.L. 86-36 


(U//FOUO)|_[training record reveglgj-thij; pffor to 17 October 201 2 , he took 

numerous courses regarding SIGINT authorities fhcfticfmg: 



(b) (6) 


-01AC1180 Annual IA Awareness Training (Most recent date of 
completion prior to the October 2012 incident: 4 September 2012) 
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(b) (3)-P.L. 86-36 


(U) Testimonial Evidence ; 


/ v-l 4-0011 


(b)(3)-P.L. 86-36 
(b) (6) 


(u/zpoHei .:. 

(U// TO UO ) Q it i5 March 2013,__J_ 

Officer ! | was interviewed by DI4 Senior investigator, 
investigation, and provided the following information. 


^inte lligence Oversight 
|as part of a separate 


>12 incident where USP communications were inadvertently 


obtained! 


(UZ /fOUQ) On 23 and 2 4 October 2013,|_^ 


3 and 2 _ _ __ 

Oversight Officer.[~~^ was interviewed'and proved t^e following sworn testimony. 


Intelligence 


tTS//Sl//t^r) In January 20 K 
was inadvertently obtained/ 


lwas involvedjn an incident wh ere USP information 

|This incident occurred 


and an incident repor 


v’as filed on 31 January 2012. 




(b) (1) 

(b) (3)-50 USC 3024 (i) 
(b)(3)-P.L. 86-36 


(b) (1) 

(b) (3)-50 USC 3024 (i) 

(b)(3)-P.L. 86-36 
(b) () Release: 20 










fTQ//oi// Nn R 

occurred. [ 


| was 

Jhad become increasii 


supervisor in Octob.er*2*Qr2*vCjieri.the incident 
increasingly frustrated with the lacVafitudit ‘controls in the 



]added that| lwas a very 

gooa analyst ana a solid performer and that his'ihtent-when conducting the'queryitvas not 
malicious. ... 


(U) Analysis and Conclusions 


(TS//SI//NF) According to Executive Order 12333 Part 2.3, elements of the Intelligence 
Community are authorized to collect, retain, or disseminate information concerning United 
States persons only in accordance with established procedures. DoD Directive 5240.1-R, 
Chapter 2, Procedure 2, C2.3.4.2 states that information that identifies a USP, may only be 
coiiddted under certain circumstances. Additionally, Chapter 14, Procedure 14, C14.2.I 



states, “employees shall conduct intelligence activities only pursuant to, and in accordance 
with. Executive Order 12333.^jpj| this Regulation.” According to USS1D SP0018, §3.1 & 
4.1, the United States SIGINl^'^i'^gm will not intentionally collect communications to, from, 
or about USPs. Further, §5.1 ||§||jes, “No selection term that is reasonably likely to result ’ 
in the interception of communications to or from a [USP]...may be used unless there is a 
reason to believe that foreign intelligence will be obtained from the use of such a selectiogfllj; 
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(b)(3)-P.L. 86-36 
(b) (6) 


top sEVt t immwmroRx 


(b)(3)-P.L. 86-36 


IV-14-0011 


tem" is, and wjis at .the tmte.qf the inci4ent, an Intelligence Oversight Officer 

(100) who has completed numerous courses otuthe applicable regulations. The SV website 
describes IOO’s as the “S1GINT compliaoce'expeYte.in the extended enterprise who help . 
ensure NSA operates compliantly \yitKin its SIGINT Au thorities:' Th erefore, by virtue of Jiis 
training and experience as a §I01NT compliance expert, | |was aware of the ; 

regulations and the prohibittons regarding-using overly broad search terms and conducting 
queries that would,reasonably be likely to result in USP communication. 

■ , * B ♦ 

(TOif/S l #N fo-ln his first account of the incident, documented on the incident report 


1 [testimony thar his intention was to show that the database was in compliance 

with regulations and did not contain USP information is not reasonable. 


(U// fOUO) Although ! ~| made attempts to report what he believed to be a non- 

compliant SIGINT system to the proper authorities, the fact that he disagreed with their 
conclusions does not justify using an overbroad search term, in violation of policy, to prove 
them wrong. The preponderance of the evidence supports the conclusion that ! | 

intentionally used a selection term that was reasonably likely to result in the interception of 
communications to or from a USP, in violation of EO1233 Part 2.3, DoD 5240.1-R, Chapter 
2. Procedures 2.3.1-2.3.4.2, Chapter 14, Procedure 14, Cl4.2.1, and USSID SPOOl8, §3.1, 
4.1, & 5.1(a). 


(b) (1) 

(b) (3)-P.L. 86-36 
(b) (6) 
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• IV. (U) RESPONSE TO TENTATIVE CONCLUSION(S) 




(U//TOU0) Auditing is defined under USS1D SPOOI9 as, “The process USSS elements 
and overseers use to review queries made against unevaluated, unminimized (raw) 
SIGINT data or repositories to ensure that the queries are compliant with U.S. laws and 
procedures that govern SIGINT activities. The types of auditing are: 


• (U/SFOUO) Active Auditing: The review of queries against raw SIGINT data or 
repositories that offer a significant risk of violating the privacy rights of U.S. persons 
(also known as post-query review). Any system, tool, database, or process which enables 
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a user to conduct alpha-numeric searches against raw SIGINT content is actively 
audited. This function is performed by the elements of a SIGINT mission; 

• (U/ /FOUO) Passive Logging (also known as Passive Auditing): The baseline auditing 
requirement imposed on raw SIGINT data and repositories to record information 
concerning their use. Passive logging tracks a user’s queries of raw SIGINT on a given 
system and may include a variety of information ranging from simple sign-in, sign-out 
times to the specific details of mouse clicks on a screen. The logs are not actively 
reviewed but are stored for potential compliance review at the discretion of SV. This 
function is performed by the system; 

• (U//f ?)U( >) Spot Checking: Process of auditing a portion or sampling of the queries 
executed within specific raw SIGINT data or repositories that have been approved for 
this type of auditing. This function is performed by the elements of a SIGINT mission; and 

• (U/ /FOUO) Super Auditing: The independent review of activities conducted against raw 
SJGINT systems, tools, or databases. This function is performed bySV. ” 

(T0//01//HP )| 


■ (TOiffl l iW frlf 



•.(TGffljIiWtf) 


• (TC.'/Cl.'ilir) As the conclusions cite, I was a trained and experi ence fsicl SIGINT 
’ Compliance expert. This fact contributed to the incident. | 




8 


(b) (1) 

(b) (3) -18 USC 798 
(b) (3)-50 USC 3024(i) 

(b) (3) -P . L - Re ^ e |gg? ^oi9-01 
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(U//F©UO) The information provided does not change the conclusion thatj | 

intentionally used a selection term that was reasonably likely to result in the interception of 
communications to or from a USP. However, due to hfc r.or] rpm| 

I 1 D 14.WIH torward a summary of 

concerns to D11 for their review, possible coordinajtion wftjvSV, and any follow up action 
deemed appropriate. * 
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V, (U) CONCLUSION 


(U//F6 U0 ) The preponderance of the evidence supports the conclusion that j | 

intentionally used a selection term that was reasonably likely to result in the interception of 
communications to or from a USP, in violation of E012333 Part 2.3, DoD 5240.1-*R, Chapter 
2, Procedures 2.3.1-2.3.4.2, Chapter 14, Procedure 14, Cl4.2.1, and USSID SPOG18, §3.1, 
4.1, & 5.1(a). 


(b)(3)-P.L. 86-36 
(b) (6) 
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V.(U) DISTRIBUTION OF RESULTS 


(U//FOUO) A copy of this report of investigation will be provided to Employee 
Relations for information and any action deemed appropriate. Also, a summary of 
the findings will be forwarded to the Associate Directorate for Security and 
Counterintelligence (ADS&C1). 



Investigator 


(b) (3)-P.L. 86-36 


Concurred by: 


Assistant Inspector General 
for 

Investigations 
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APPENDIX A 

(U) Applicable Authorities 
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(U) EXECUTIVE ORDER 12333, I^ITED STATES INTELLIGENCE ACTIVITIES, 

(U) Part 2.3 Collection of information 

(U) Elements of the Intelligence Community are authorized to collect, retain, or disseminate 
information concerning United States persons only in accordance with procedures established by 
the head of the Intelligence Community element concerned or by the head of a department 
containing such element and approved by the Attorney General, consistent with the authorities 
provided by Part 1 ofthb Order, after consultation with the Director. Those procedures shall 
permit collection, retention, and dissemination of the following types of information: 

(a) Information that is publicly Stable or collected with the consent of the person 
concerned; 

(b) Information constituting foreign intelligence or counterintelligence, including such 
information concerning corporations or other commercial organizations. Collection 
within the United States of foreign intelligence not otherwise obtainable shall be 
undertaken by the Federal Bureau of Investigation (FBI) or, when significant foreign 
intelligence is sought, by other authorized elements of the Intelligence Community, 
pppBfd that no foreign intelligence collection by such elements may be undertaken for 
tftS^pose of acquiring information concerning the domestic activities of United States 
persons; 

(c) Information obtained in the course of a lawful foreign 30 intelligence, 
counterintelligence, .international drug or international terrorism investigation; 

(d) Information needed to protect the safety of any persons or organizations, including those 
who are targeB. victims, or hostages of international terrorist organizations; 

(e) Information needed to protect foreign intelligence or counterintelligence sources, 
methods, and activities from unauthorized disclosure. Collection within the United States 
shall be undertaken by the FBI except that other elements of the Intelligence Community 
may also collect such information concerning present or former employees, present or 
former intelligence element contractors or their present or former employees, or 
applicants for such employment or contracting; 

(f) Information concerning persons who are reasonably believed to be potential sources or 
contacts for the purpose of determining their suitability or credibility; 

(g) Information arising out of a lawful personnel, physical, or communications security 
investigation; 

(h) Information acquired by overhead reconnaissance not directed at specific United States 
persons; 

(i) Incidentally obtained information that may indicate involvement in activities that may 
violate Federal, state, local, or foreign laws; and 

(j) Information necessary for administrative purposes. 

(U) In addition, elements of the Intelligence Community may disseminate information to each 
appropriate element within the Intelligence Community for purposes of allowing the recipient 
element to determine whether the information is relevant to its responsibilities and can be 
retained by it, except that information derived from signals intelligence may only be 
disseminated or made available to Intelligence Community elements in accordance with 
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procedures established by the Director in coordination with the Secretary of Defense and 
approved by the Attorney General. 


(U) DoD Regulation 5240.1-R, Procedures Governing the Activities of DoD Intelligence 
Components that Affect United States Persons 

(U) Chapter 2, Procedure 2. Collection of Information about United States Persons, C2.3. 
(U) Types of Information that may be collected about United States Persons: 

(U) Information that identifies a United States person may be collected by a DoD 
intelligence component only if it is necessary to the conduct of a function assigned the 
collecting component, and only if it falls within one of the following categories: 

(U) C2.3.I. Information Obtained With Consent. Information may be collected about a 
United States person who consents to such collection. 

(U) C2.3.2. Publicly Available Information. Information may be collected about a 
United States person if it is publicly available. 

(U) C2.3.3. Foreign Intelligence. Subject to the special limitation contained in section 
(U) C2.5., below, information may be collected about a United States person if the 
information constitutes foreign intelligence, provided the intentional collection of 
foreign intelligence about United States persons shall be limited to persons who are: 

(U) C2.3.3.1. Individuals reasonably believed to be officers or employees, 
otherwise acting for or on behalf, of a foreign power; 

(U) C2.3.3.2. An organization reasonably believed to be owned on controlled, 
directly or indirectly, by a foreign power; 

(U) C2.3.3.3. Persons or organizations reasonably believed to be,engaged or about 
to engage, in international terrorist or international narcotics activities; 4 ? 

(U) C2.3.3.4. Persons who are reasonably believed to be prisoners o'fw#r; missing 
in action; or are the targets, the hostages, or victims of international terrorist* 
organizations; or 

(U) C2.3.3.5. Corporations or other commercial organizations believed to have 
some relationship with foreign powers, organizations, or persons. 

(U) C2.3.4. Counterintelligence. Information may be collected about a United States 
person if the information constitutes counterintelligence, provided the intentional 
collection of counterintelligence about United States persons must be limited to: 

(U) C2.3.4.1. Persons who are reasonably believed to be engaged in, or about to 
engage in, intelligence activities on behalf of a foreign power, or international terrorist 
activities. 

(U) C2.3.4.2. Persons in contact with persons described in subparagraph C2.3.4.1., 
above, for the purpose of identifying such person and assessing their relationship with 
persons described in subparagraph C2.3.4.I., above. 


(U) Chapter 14, Procedure 14 — Employee Conduct, C14.2.1. Employee Responsibilities: 

(U) Employees shall conduct intelligence activities only pursuant to, and in accordance with, 
Executive Order 12333 (reference (a)) and this Regulation. In conducting such activities, 
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employees shall not exceed the authorities granted the employing DoD intelligence components 
by law; Executive Order, including E.O. 12333 (reference (a)), and applicable DoD directives. 


(U) United States Signals Intelligence Directive (USSID) SP0018, Legal Compliance and 
U.S. Persons Minimization Procedures 

(U) Policy and the USSS Foreign Communications Mission 

3.1 (U) The policy of the USSS is to TARGET or COLLECT only FOREIGN 
COMMUNICATIONS.*The USSS will not intentionally COLLECT communications to, from 
or about U.S. PERSONS or persons or entities in the U.S. except as set forth in this USSID... 


(U) Collection 

4.1 (G/ffil/fllCL) Communications which are known to be to, from or about a U.S PERSON 
| ' | will not be intentionally intercepted, or selected 

.through the use of a SELECTION TERM, except in the following instances... 

<U) Selection Terms 

*. 5. i Use of Selection Terms During Processing... 

...a. (S//S1//RCL) No SELECTION TERM that is reasonably likely to result in 
the INT ERCEPTION of communications to or from a U.S. Person (wherever 

* located)! —^ 

I | may be used unless there is reason to believe that FOREIGN 

INTELLIGENCE will be obtained by use of such SELECTION term... 


(b) (1) 
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The minimum clarification foi this fotm is The classification may b<? hiqhnr based on infomnahon input into 

ihe form Sro the "Overall Incident Classification* field on page 1. 
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(b) (1) 

(b) (3)-P.L. 86-36 
(b) (6) 
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